Lih Wern Wong
School of Computer and Information Science, Edith Cowan University
lihwern@yahoo.com

Abstract

Windows registry contains lots of information that are of potential evidential value or helpful in aiding forensic examiners on other aspects of forensic analysis. This paper discusses the basics of Windows XP registry and its structure, data hiding techniques in registry, and analysis on potential Windows XP registry entries that are of forensic values.

Keywords:

Windows registry, forensic analysis, data hiding

INTRODUCTION

Windows 9x/ME, Windows CE, Windows NT/2000/XP/2003 store configuration data in registry. It is a central repository for configuration data that is stored in a hierarchical manner. System, users, applications and hardware in Windows make use of the registry to store their configuration and it is constantly accessed for reference during their operation. The registry is introduced to replace most text-based configuration files used in Windows 3.x and MS-DOS, such as .ini files, autoexec.bat and config.sys. Due to the vast amount of information stored in Windows registry, the registry can be an excellent source for potential evidential data. For instance, windows registry contains information on user accounts, typed URLs, network shared, and Run command history. Aspects discussed in this paper are based solely on Windows XP (Service Pack 2) registry.

REGISTRY STRUCTURE

Figure 1 shows Windows registry logical view from Register Editor (Windows default register editor). Each folder in the left key pane is a registry key. The right panes show the key's value. Subkey is used to show the relationship between a key and the keys nested below it. Branch refers to a key and all its subkeys. Windows uses symbolic link (i.e. similar to file system's shortcut) to link a key to a different path which allows the same key and its values to appear at two different paths (Russinovich, 1999).

Figure 1: Windows Registry Logical View Key